
webmin

Created by retep. Last edited by john, one year and 111 days ago.

Webmin (pre 1.290) Exploit

In late June 2006 security researchers disclosed a flaw in webmin's web server (miniserv) that lets anyone, including someone without a webmin login, read any file on your server. Webmin runs as root, so no file is out of reach.

http://www.webmin.com/security.html

This is serious. For example, the flaw can be used to read /etc/shadow, which hands an attacker the list of accounts on your server together with their password hashes. Those hashes can be cracked offline at leisure, so any weak password on the box should be treated as exposed.

The flaw is in every webmin version before 1.290, but if webmin has not been running on your server since June 2006 (when the problem was made public) you are unlikely to have been affected.

If you have been running webmin since then:

  • ssh in as root and stop webmin (see below).
  • upgrade webmin to 1.290 or newer.
  • change your password _and_ the password of every other account you have set up on the server.
  • check the output of last -a for logins you do not recognise.

Action Taken By RimuHosting

RimuHosting installs webmin for customers who request/select it when ordering. So we have had customers running vulnerable versions of Webmin. On servers we have access to we have:

  • initially tried to stop webmin running on any server we have access to
  • upgraded webmin on servers that have webmin installed already
  • disabled webmin on servers that did not want to upgrade
Additionally we have written this bliki entry to assist customers. And we will shortly be emailing customers whose servers we do not have access to so that they can upgrade or stop/disable webmin.

Stopping Webmin

To stop webmin, paste the following into an ssh session as root. It stops webmin through its init script if one exists, then looks for any webmin web server process (miniserv.pl, started with its miniserv.conf) that is still running and kills it.

    if [ -e /etc/init.d/webmin ]; then
        /etc/init.d/webmin stop
    fi
    # match miniserv.pl by its miniserv.conf argument; the [m] trick stops
    # the grep from matching its own command line
    webminline=$(ps auxf --width=200 | grep '[m]iniserv.co')
    if [ ! -z "$webminline" ] ; then
        echo killing off webmin
        # quote $webminline so awk sees one process per line and every PID
        # is killed, not just the first one
        kill -9 $(echo "$webminline" | awk '{print $2}')
        # anything still listed here survived the kill
        ps auxf --width=200 | grep '[m]iniserv.co'
    fi

Upgrading Webmin

To see what version of webmin you have, execute

    cat /etc/webmin/version

If the version is 1.290 or newer (and webmin is not running) then just start it up again with /etc/init.d/webmin start.

If the version is older than 1.290 then you need to upgrade webmin (or stop using it altogether; see "Disabling Webmin For Good" below).

If webmin is running you can upgrade through its own UI. Otherwise run the following as root; it fetches RimuHosting's copy of the current package and installs it with rpm or dpkg, whichever your distribution uses:

    if which rpm > /dev/null 2>&1 ; then
        # recreate the config dir in case it was moved aside earlier
        mkdir -p /etc/webmin
        rpm -Uvh "http://apt.rimuhosting.com/webmin.rpm"
    fi
    if which dpkg > /dev/null 2>&1 ; then
        cd /tmp
        wget -q "http://apt.rimuhosting.com/webmin.deb"
        dpkg -i webmin.deb
    fi

The download is over plain http, so afterwards confirm that cat /etc/webmin/version now shows 1.290 or newer. If you would rather not trust a third-party mirror, fetch the package from webmin.com instead.

Disabling Webmin For Good

If you do not use webmin then now is a good time to disable it, so that future vulnerabilities in it cannot affect you. The following removes webmin from the boot sequence, stops it, and moves its configuration aside. It does not remove the package itself; for that use rpm -e webmin or apt-get remove webmin. Run as root:

    if [ -e /etc/init.d/webmin ]; then
        echo taking care of the webmin init script
        # remove the boot-time links (Red Hat style, then Debian style);
        # -f lets update-rc.d work while the init script still exists
        which chkconfig > /dev/null 2>&1 && chkconfig --del webmin
        which update-rc.d > /dev/null 2>&1 && update-rc.d -f webmin remove
        /etc/init.d/webmin stop
        rm -f /etc/init.d/webmin
    fi
    # kill any miniserv.pl that is still running (see "Stopping Webmin")
    webminline=$(ps auxf --width=200 | grep '[m]iniserv.co')
    if [ ! -z "$webminline" ] ; then
        echo killing off webmin
        kill -9 $(echo "$webminline" | awk '{print $2}')
        ps auxf --width=200 | grep '[m]iniserv.co'
    fi
    if [ -e /etc/webmin ]; then
        # keep the old config in case you want it back, but out of webmin's way
        mv /etc/webmin /etc/webmin.insecureversion
    fi

Changing Passwords

If you were running a webmin older than 1.290 at any point after June 2006 then your password hashes may have been read, and so may any other file on the server (ssh keys, database credentials in config files, and so on).

You can see who has logged in recently by running last -a.

You can change passwords via the passwd username command.

You can see which users actually have a password set (as opposed to a locked or empty password field) by running, via ssh as root:

    # second field of /etc/shadow: empty, or starting with ! or *, means no usable password
    awk -F: '$2 != "" && $2 !~ /^[!*]/ {print $1}' /etc/shadow

Each name printed is a user whose password should be changed.

To see what attempts have been made to exploit your webmin setup run:

    # the log location depends on the webmin version/package
    logfile=/var/webmin/miniserv.log
    if [ -e /var/log/webmin/miniserv.log ] ; then
        logfile=/var/log/webmin/miniserv.log
    fi
    # /unauthenticated/ also serves the login page's images, hence -v jpg
    grep unauthen "$logfile" | grep -v jpg | grep -v 404

e.g. if that command outputs something like the following then someone has attempted to read (in this example) the /etc/shadow file:

    64.62.158.196 - - [05/Aug/2006:16:26:32 -0400] "GET /unauthenticated//..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/etc/shadow HTTP/1.1" 200 1634

The 200 near the end of the line is the HTTP status: the request succeeded and the file was returned, and the 1634 after it is the number of bytes sent. A 404 or other error status means the attempt was refused. The repeated ..%01 is the trick behind the flaw: each %01 is stripped by the server, leaving a plain .. that walks up a directory, while the check that was supposed to block such paths never saw it.
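As an added example (not code from the original page), here is the same check as a small script that does a little more than the grep above: it picks out only requests under /unauthenticated/ that contain a traversal (.. followed by / or by a percent-encoded byte such as the %01 seen in the wild), recovers the file that was actually asked for, and says whether the server served it (status 200) or refused it. The log lines in write_sample_log are constructed for the example using documentation IP ranges; on a real server point scan_miniserv_log at /var/webmin/miniserv.log or /var/log/webmin/miniserv.log.

```shell
#!/bin/sh
# Added example, not from the original RimuHosting page.
# Scan a Webmin miniserv.log for the pre-1.290 /unauthenticated/ traversal
# and report, per attempt: client IP, whether the file was SERVED (HTTP 200)
# or blocked, the target file, and the bytes returned.
# Exit status 0 means at least one file was served; 1 means none were.

scan_miniserv_log() {
    awk '
        # Combined log format: $1=IP, $7=request path, $9=status, $10=bytes.
        # Only paths under /unauthenticated/ containing ".." followed by "/"
        # or by a percent-encoded byte (the %01 trick) are traversal attempts;
        # the login page images that also live there are left alone.
        $7 ~ /^\/unauthenticated\/.*\.\.(%[0-9A-Fa-f][0-9A-Fa-f]|\/)/ {
            target = $7
            # Everything up to the last "/..XX/" is traversal noise; what
            # follows is the file the attacker asked for.
            sub(/^.*\/\.\.(%[0-9A-Fa-f][0-9A-Fa-f])?\//, "/", target)
            verdict = ($9 == 200) ? "SERVED" : "blocked"
            if ($9 == 200) hits++
            printf "%-15s %s %s (%s bytes)\n", $1, verdict, target, $10
        }
        END { if (hits > 0) exit 0; exit 1 }
    ' "$1"
}

# Constructed sample log (not real traffic): one successful read, one
# refused attempt, and one legitimate image request that must not be flagged.
write_sample_log() {
    cat > "$1" <<'EOF'
192.0.2.10 - - [05/Aug/2006:16:26:32 -0400] "GET /unauthenticated//..%01/..%01/..%01/..%01/etc/shadow HTTP/1.1" 200 1634
198.51.100.7 - - [06/Aug/2006:02:11:05 -0400] "GET /unauthenticated/../../../etc/passwd HTTP/1.0" 404 0
192.0.2.10 - - [05/Aug/2006:16:26:40 -0400] "GET /unauthenticated/images/webmin.jpg HTTP/1.1" 200 4128
EOF
}

# Demo run against the constructed sample: prints two lines, the .jpg is skipped.
sample=$(mktemp)
write_sample_log "$sample"
scan_miniserv_log "$sample"
rm -f "$sample"
```

Treat every SERVED line as a confirmed disclosure of that file; blocked lines still tell you who was probing and which files they were after, which is useful when deciding whose logins to look for in last -a.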

Running Webmin on LocalHost

The latest version fixes this problem, but there will be others. You can take webmin off the public internet altogether and reach it only over ssh: webmin listens on the loopback address, and you forward a port from your PC to it through an SSH tunnel.

To set up the tunnel use ssh -L 10000:localhost:10000 yourserverip when you ssh to the server; -L forwards port 10000 on your PC to port 10000 on the server's loopback interface. If you are using PuTTY, go to Connection → SSH → Tunnels and add a Source port of 10000 and a Destination of localhost:10000.

While that SSH session is open you can reach webmin from your PC at https://localhost:10000/ .

Once you have confirmed the tunnel works, use Webmin Configuration → Ports and Addresses to make webmin listen only on 127.0.0.1. Do it in that order: once webmin is bound to loopback, the tunnel (or editing /etc/webmin/miniserv.conf over ssh) is the only way back in.
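As an added example (not part of the original page or anything RimuHosting ships), the same restriction applied from the shell, which is handy when webmin is already stopped or when you want to script it across several servers. It assumes the config lives at /etc/webmin/miniserv.conf, that webmin is on port 10000, and that bind= and allow= are the miniserv.conf keys behind the Ports and Addresses and IP Access Control pages (check your own file before relying on that). The function takes the config path as an argument so you can try it on a copy first.

```shell
#!/bin/sh
# Added example, not from the original page.
# Make Webmin listen only on the loopback interface by editing miniserv.conf
# (assumed path /etc/webmin/miniserv.conf) instead of clicking through the UI.
#   bind=   address miniserv listens on  (Ports and Addresses)
#   allow=  IP access control list       (IP Access Control)

restrict_webmin_to_loopback() {
    conf="$1"
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    # Keep a timestamped copy so the change can be reverted over ssh.
    cp -p "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)" || return 1
    # Drop any existing bind=/allow= lines first so the result is
    # unambiguous and the function can be re-run safely.
    sed -i -e '/^bind=/d' -e '/^allow=/d' "$conf"
    printf 'bind=127.0.0.1\nallow=127.0.0.1\n' >> "$conf"
}

# After restarting webmin, show what is listening on its port so you can
# confirm 127.0.0.1:10000 rather than 0.0.0.0:10000 (port assumed 10000).
webmin_listener() {
    port="${1:-10000}"
    { ss -ltn 2>/dev/null || netstat -ltn 2>/dev/null; } | grep -E ":$port[[:space:]]"
}

# Usage on a real server, once the SSH tunnel has been tested:
#   restrict_webmin_to_loopback /etc/webmin/miniserv.conf
#   /etc/init.d/webmin restart
#   webmin_listener 10000
```

Binding to loopback and the allow list overlap on purpose: if a later webmin upgrade or a UI click resets one of them, the other still keeps the service off the network.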

Webalizer module problems

Is webalizer showing stats for all sites rather than for the virtual host log you pointed it at? Go to the module's main page and, at the bottom, click "Edit Global Options".

Delete the absolute path from the history and incremental file settings, so that they read just webalizer.hist and webalizer.current with no directory; each vhost then gets its own pair next to its own log. Leave the absolute path on the DNS cache file (usually /var/lib/webalizer/dns_cache.db) so that all vhosts share one cache.

Webalizer module docs are here: http://doxfer.com/Webmin/WebalizerLogfileAnalysis

Getting Help

If you have any _general_ comments, suggestions or questions, post them at http://forums.rimuhosting.com/forums/showthread.php?p=795#post795 . If you are a RimuHosting customer and need _specific_ help with anything related to this issue, please pop in a support ticket.
